Good practice notes

  • Subject access requests and local authority housing records
    Guidance to help people who work in housing offices to deal with subject access requests.

  • Disclosure of employee information under TUPE
    This good practice note aims to explain what organisations need to do to comply with the Data Protection Act when providing information about their employees under the Transfer of Undertakings (Protection of Employment) Regulations 2006 (commonly known as TUPE).

  • Advice to local authorities on disclosing personal information to elected members
    This good practice note aims to provide local authorities with advice on what they need to consider when deciding to disclose personal information to elected members.

  • Guidance on data security breach management
    This guidance sets out some of the things an organisation needs to consider in the event of a security breach. This note is not intended as legal advice, nor is it a comprehensive guide to information security. It should, however, assist organisations in deciding on an appropriate course of action if a breach occurs.

  • Notification of Data Security Breaches to the Information Commissioner’s Office
    The ICO has produced this guidance for organisations on the information we expect to receive as part of a breach notification and on what organisations can expect from us on receipt of their notification.

  • Security of personal information
    This good practice note aims to alert small and medium sized organisations to the security measures they should have in place to protect the personal information they hold.

  • Training checklist for small and medium sized organisations
    High-profile security breaches have increased public concern about the handling of personal information. We recognise that some organisations have limited resources to devote to staff training. This note outlines some of the practical implications of the Act and is intended as a basic training framework for general office staff in small and medium sized organisations.

  • The exemption from notification for ‘not-for-profit’ organisations
    This note aims to answer a number of questions regularly raised by charities and voluntary organisations about the exemption from the requirement to notify under DPA 1998 for ‘not-for-profit’ organisations.

  • Publication of Examination Results by Schools
    This good practice note aims to explain to boards of governors, head teachers and school data protection officers how the Data Protection Act (the Act) affects the publishing of examination results.

  • The use and disclosure of information about business people 
    The aim of this good practice note is to explain to local authorities how the Data Protection Act applies to the sharing and use of information about business people. This could be information, for example, about a business person’s payment of business rates or the results of an environmental health inspection of his or her premises.

  • Collecting personal information using websites 
    This guidance is a set of frequently asked questions for anyone collecting personal information using websites.

  • Calling existing customers listed on the Telephone Preference Service
    This guidance explains the position regarding calling existing customers for marketing purposes who are currently registered on the Telephone Preference Service (TPS) or who subsequently register.

  • Advice for the elected and prospective members of local authorities
    This good practice note aims to provide local authorities with advice on what they need to consider when deciding to disclose personal information to elected members.

  • Checklist for handling requests for personal information (subject access requests)
    This guidance aims to assist small and medium sized organisations that receive requests for information covered by the Data Protection Act 1998.

  • The use of violent warning markers
    This good practice note explains to those working with the public how best to manage the use of violent warning markers.

  • Corporate Telephone Preference Service
    This good practice note explains how companies can register their telephone numbers with the Corporate Telephone Preference Service (CTPS), and the rules that apply to calling companies that have registered their numbers.

  • Releasing information to prevent or detect crime 
    This good practice note explains what you need to consider when you are asked to release personal information because it is needed to prevent or detect a crime, or catch and prosecute a suspect. It is intended as a guide for organisations that do not normally receive requests of this kind.

  • Monitoring under section 75 of the Northern Ireland Act 1998 
    This good practice note aims to make clear that the Data Protection Act 1998 allows monitoring under section 75 of the Northern Ireland Act 1998. It also aims to provide advice for public authorities that are required to carry out such monitoring.

  • Automatic renewal of policies or membership by credit or debit card 
    This good practice note explains how insurance companies and other organisations can comply with the Data Protection Act 1998 when automatically renewing a policy, membership or other arrangement where a fee has to be paid. This note covers payment of fees by credit or debit card but not by direct debit.

  • Tied agents and independent financial advisors 
    This good practice note is aimed at firms of tied agents and independent financial advisors. It gives advice on common issues raised with the Information Commissioner about how to comply with the Data Protection Act. The term 'firm' includes sole traders and partnerships.

  • Outsourcing - a guide for small and medium sized businesses
    This good practice note sets out what you need to do to comply with the Data Protection Act when you outsource the processing of personal information. Typical examples would include outsourcing your payroll function or customer mailings. It sets out which parts of the Act are important when outsourcing and provides some good practice recommendations.

  • Buying and selling customer databases
    This good practice note explains what organisations need to do to make sure they comply with the Data Protection Act when buying and selling databases which contain customers' personal information. It is not intended to cover the purchase and sale of confidential personal information. This advice is for use when a business is insolvent or closing down or when an asset is being sold, either by the owner or an insolvency practitioner.

  • How does the Data Protection Act apply to recording and retaining professional opinions? 
    This good practice note aims to inform organisations and practitioners about some of the data protection issues that arise in relation to the information about individuals that they record in their professional opinions. The information in this note may also be of interest to individuals.

  • Pension trustees and their use of administrators 
    This good practice note explains to pension trustees how to comply with their obligations under the Data Protection Act 1998 when they use pension administrators to help them run a pension scheme.

  • Subject access and employment references 
    This good practice note clarifies how the Data Protection Act applies to employment references. The recommendations also apply to other types of reference, such as those provided for educational purposes.

  • Disclosing information about tenants 
    This good practice note answers some frequently asked questions from landlords about how the Data Protection Act applies to them, the information they hold about their tenants and information held on their behalf by a letting agent.

  • Charities and marketing 
    This good practice note explains what charities and voluntary organisations need to do to comply with data protection law when they carry out marketing activities.

  • Electronic mail marketing 
    This good practice note is aimed at helping businesses understand the 'dos and don'ts' of electronic mail marketing and gives an overview of the rules in the Privacy and Electronic Communications Regulations.

  • Individuals' rights of access to examination records
    This good practice note explains the right to access examination records under the Data Protection Act. The Freedom of Information Act also gives individuals the right to access other (non-personal) information held by public authorities.

  • Providing personal account information to a third party
    This good practice note is aimed at helping people to decide whether or not to give information to third parties calling on behalf of an account holder.

  • Taking photos in schools
    This good practice note is aimed at Local Education Authorities and those working within Schools, Colleges and Universities.

  • Getting it right: a brief guide to data protection for small businesses

  • Getting it right: small business checklist
